LDAP Operations
I. Does the tree exist?
Query
    root@smbldap:~# ldapsearch -x -LLL -H ldap:/// -b dc=happy,dc=tc,dc=edu,dc=tw
    dn: dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: happy
    dc: happy

    dn: cn=admin,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
1. dc=happy,dc=tc,dc=edu,dc=tw is the root of the whole tree (the DIT)
2. cn=admin,dc=happy,dc=tc,dc=edu,dc=tw is the administrator
II. Adding nodes
Create an add_content.ldif
Here the members of Happy Elementary School are split into two groups, teacher and student, according to the data returned by the school-administration cloud service.
    dn: ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: organizationalUnit
    ou: teacher

    dn: ou=student,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: organizationalUnit
    ou: student

    dn: cn=teacher,ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: posixGroup
    cn: teacher
    gidNumber: 5000

    dn: cn=student,ou=student,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: posixGroup
    cn: student
    gidNumber: 5001
uidNumber and gidNumber must not collide with the local machine's user IDs and group IDs, so it is advisable to start them in a fairly high range,
for example with both gidNumber and uidNumber starting at 5000.
If this machine is planned to add only specific roles, for example only teacher:
add_content.ldif
    dn: ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: organizationalUnit
    ou: teacher

    dn: cn=teacher,ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: posixGroup
    cn: teacher
    gidNumber: 5000
Add the above content:
    root@smbldap:~# ldapadd -x -D cn=admin,dc=happy,dc=tc,dc=edu,dc=tw -W -f add_content.ldif
    Enter LDAP Password:
    adding new entry "ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw"
    adding new entry "ou=student,dc=happy,dc=tc,dc=edu,dc=tw"
    adding new entry "cn=teachers,ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw"
    adding new entry "cn=students,ou=student,dc=happy,dc=tc,dc=edu,dc=tw"
You can check the result with ldapsearch:
    root@smbldap:~# ldapsearch -x -LLL -b dc=happy,dc=tc,dc=edu,dc=tw ou gidNumber
    dn: dc=happy,dc=tc,dc=edu,dc=tw

    dn: cn=admin,dc=happy,dc=tc,dc=edu,dc=tw

    dn: ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    ou: teacher

    dn: ou=student,dc=happy,dc=tc,dc=edu,dc=tw
    ou: student

    dn: cn=teachers,ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    gidNumber: 5000

    dn: cn=students,ou=student,dc=happy,dc=tc,dc=edu,dc=tw
    gidNumber: 5001
Adding a user
This user can be an account from the cloud school-administration system, or any newly created account.
The LDAP server must hold at least one user record so that the program can determine the next uidNumber.
objectClasses used:
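The two notes above (start uidNumber and gidNumber at 5000 so they stay clear of local IDs, and keep at least one record so the next uidNumber can be determined) describe an allocation step that is easy to get wrong by hand. The script below is an added example, not code from this page or from the school-side service it mentions: it takes ldapsearch LDIF output on stdin, picks the next uidNumber above the highest one already in the directory (never below the 5000 floor), and skips any value that a local /etc/passwd account already uses. The next_uid helper name, the (objectClass=posixAccount) search filter and the sample LDIF and passwd lines are my own constructions.

```shell
#!/bin/sh
# next_uid FLOOR PASSWD_CONTENT  < ldif-on-stdin
# Prints the next free uidNumber: one above the highest uidNumber already in the
# directory, never below FLOOR (5000 on this page), and never equal to a UID that
# a local account in PASSWD_CONTENT (the text of /etc/passwd) already uses.
next_uid() {
    floor=$1
    passwd_content=$2
    # highest uidNumber in the LDIF on stdin; 0 when the directory has no accounts yet
    max=$(awk 'BEGIN { m = 0 } /^uidNumber:/ { if ($2 + 0 > m) m = $2 + 0 } END { print m }')
    if [ "$max" -lt "$floor" ]; then
        cand=$floor
    else
        cand=$((max + 1))
    fi
    # skip any candidate that collides with a local UID (third field of passwd)
    while printf '%s\n' "$passwd_content" | cut -d: -f3 | grep -qx "$cand"; do
        cand=$((cand + 1))
    done
    echo "$cand"
}

# Constructed sample: what "ldapsearch -x -LLL -b dc=happy,dc=tc,dc=edu,dc=tw
# '(objectClass=posixAccount)' uidNumber" would print with two accounts present.
SAMPLE_LDIF='dn: uid=igogo,ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
uidNumber: 5000

dn: uid=demo,ou=student,dc=happy,dc=tc,dc=edu,dc=tw
uidNumber: 5001'

# Constructed sample /etc/passwd: a local service account already occupies 5002,
# which is exactly the collision the page warns about.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
localsvc:x:5002:5002::/var/lib/localsvc:/usr/sbin/nologin'

# Against a live server, replace the sample with the real query and passwd file:
#   ldapsearch -x -LLL -b dc=happy,dc=tc,dc=edu,dc=tw '(objectClass=posixAccount)' uidNumber \
#     | next_uid 5000 "$(cat /etc/passwd)"
printf '%s\n' "$SAMPLE_LDIF" | next_uid 5000 "$SAMPLE_PASSWD"
```

With the sample data the highest directory uidNumber is 5001, 5002 is taken locally, so the script prints 5003; with an empty directory it falls back to the 5000 floor. Run it as the same user that will call ldapadd, and treat a gap between the directory's maximum and the local UID space as the signal to raise the floor rather than to keep skipping.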
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
First generate a password hash with slappasswd:
    # slappasswd -h {SSHA} -s 123456
    {SSHA}NT1Eso7pVbeqRqgwZsvTDYmgAxJ+pQcv
add_user.ldif
    dn: uid=igogo,ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    uid: igogo
    uidNumber: 5000
    homeDirectory: /home/teacher/igogo
    displayName: 愛狗狗
    gidNumber: 5000
    cn: igogo
    sn: igogo
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    userPassword: {SSHA}NT1Eso7pVbeqRqgwZsvTDYmgAxJ+pQcv
    # ldapadd -x -D cn=admin,dc=happy,dc=tc,dc=edu,dc=tw -W -f add_user.ldif
Query
    # ldapsearch -x -LLL -b ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw objectClass uidNumber gidNumber
    dn: ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: organizationalUnit

    dn: uid=igogo,ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    uidNumber: 5000
    gidNumber: 5000
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount

    dn: cn=teacher,ou=teacher,dc=happy,dc=tc,dc=edu,dc=tw
    objectClass: posixGroup
    gidNumber: 5000
From here on, automatic user creation and password synchronization are handled by the school-side password change service.